Date:      Thu, 12 Jan 2012 08:29:12 +0100
From:      Alex Dupre <ale@FreeBSD.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: Filtering on IPSEC
Message-ID:  <4F0E8BC8.2020703@FreeBSD.org>
In-Reply-To: <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net>
References:  <4F0DD127.4040205@FreeBSD.org> <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net>

Bjoern A. Zeeb wrote:
> Need more input.  A) why are using gif?  B) are you using transport mode?

I'm using gif because the official FreeBSD documentation says so
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html).
My configuration is very similar to what is described on that page. If
that's not the correct way, I'll fix the documentation after
understanding the right procedure.

I'm using tunnel mode for a network-to-network VPN.

> NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter.

Can you elaborate a little more on the reason ipfw can and pf cannot?
Is it because with ipfw/nat the packet is reinjected with the translated
src IP and so matched by the SPD? Currently, with my setup and pf, I faced
exactly these two problems (SPD match before translation and i/o on
different interfaces).
I think it's not so uncommon that the two networks may collide, so
assigning a "good" IP to one endpoint gateway and doing NAT on it
should be well documented in our handbook. If you give me a hint on
how this could be achieved with ipfw, I'll update the docs accordingly.

Thanks for your support.

-- 
Alex Dupre
